covert.io

security + big data + machine learning

I stumbled on this recently. It is a small collection of reports/publications from Sandia National Labs on using Machine Learning and Predictive Analytics for Computer Network Defense. Here is what is contained in the PDF:

At Endgame we have been working on a system for large scale malicious DNS detection, and John Munro and I recently presented some of this work at FloCon.

Abstract:

Clairvoyant Squirrel: Large Scale Malicious Domain Classification

Large scale classification of domain names has many applications in network monitoring, intrusion detection, and forensics. The goal with this research is to predict a domain’s maliciousness solely based on the domain string itself, and to perform this classification on domains seen in real-time on high traffic networks, giving network administrators insight into possible intrusions. Our classification model uses the Random Forest algorithm with a 22-feature vector of domain string characteristics. Most of these features are numeric and are quick to calculate. Our model is currently trained off-line on a corpus of highly malicious domains gathered from DNS traffic originating from a malware execution sandbox and benign, popular domains from a high traffic DNS sensor. For stream classification, we use an internally developed platform for distributed high speed event processing that was built over Twitter's recently open sourced Storm project. We discuss the system architecture as well as the logic behind our model's features and sampling techniques that have led to 97% classification accuracy on our dataset and the model's performance within our streaming environment.
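As an added illustration that is not part of the talk or Endgame's system: a small Java extractor for the kind of string-only, cheap-to-compute features the abstract describes. The abstract states the count (22) but not the list, so the eight features here (length, entropy, digit ratio, vowel ratio, longest consonant run, label count, longest label, hyphen count) are assumed choices, and the sample domains in `main` are constructed, not taken from the paper's dataset.

```java
import java.util.HashMap;
import java.util.Map;

/** Added example (not Endgame's model): string-only domain features of the kind the abstract describes. */
public class DomainFeatures {

    /** Fixed feature order, so every domain yields a row of the same shape for the classifier. */
    static final String[] NAMES = {
        "length", "entropy", "digit_ratio", "vowel_ratio",
        "longest_consonant_run", "label_count", "longest_label", "hyphen_count"
    };

    /** Shannon entropy in bits per character; random-looking strings score near log2(alphabet size). */
    static double entropy(String s) {
        if (s.isEmpty()) return 0.0;
        Map<Character, Integer> counts = new HashMap<Character, Integer>();
        for (char c : s.toCharArray()) {
            Integer n = counts.get(c);
            counts.put(c, n == null ? 1 : n + 1);
        }
        double h = 0.0;
        for (int n : counts.values()) {
            double p = (double) n / s.length();
            h -= p * (Math.log(p) / Math.log(2));
        }
        return h;
    }

    static boolean isVowel(char c) { return "aeiou".indexOf(c) >= 0; }

    /** Longest run of consonant letters; pronounceable names keep this small. */
    static int longestConsonantRun(String s) {
        int best = 0, run = 0;
        for (char c : s.toCharArray()) {
            run = (Character.isLetter(c) && !isVowel(c)) ? run + 1 : 0;
            best = Math.max(best, run);
        }
        return best;
    }

    static double[] extract(String domain) {
        String d = domain.toLowerCase();
        if (d.endsWith(".")) d = d.substring(0, d.length() - 1);    // drop FQDN trailing dot
        String[] labels = d.split("\\.");
        // The TLD is shared by huge numbers of both classes, so score the part before it.
        String body = labels.length > 1 ? d.substring(0, d.lastIndexOf('.')) : d;
        String chars = body.replace(".", "").replace("-", "");
        int len = chars.length(), digits = 0, vowels = 0, hyphens = 0, longestLabel = 0;
        for (char c : chars.toCharArray()) {
            if (Character.isDigit(c)) digits++;
            else if (isVowel(c)) vowels++;
        }
        for (char c : d.toCharArray()) if (c == '-') hyphens++;
        for (String l : labels) longestLabel = Math.max(longestLabel, l.length());
        return new double[] {
            len,
            entropy(chars),
            len == 0 ? 0.0 : (double) digits / len,
            len == 0 ? 0.0 : (double) vowels / len,
            longestConsonantRun(chars),
            labels.length,
            longestLabel,
            hyphens
        };
    }

    public static void main(String[] args) {
        // Constructed sample domains, not drawn from the paper's dataset.
        String[] samples = { "wikipedia.org", "mail.example.com", "x7qk9vzt2plm.info", "jfghskdlwq.biz" };
        for (String s : samples) {
            double[] f = extract(s);
            StringBuilder row = new StringBuilder(s);
            for (int i = 0; i < NAMES.length; i++) row.append(String.format(" %s=%.2f", NAMES[i], f[i]));
            System.out.println(row);
        }
    }
}
```

Each row from `extract` is one numeric vector of fixed width, which is exactly what a Random Forest consumes; the labelling the abstract describes (sandbox-observed domains as malicious, popular sensor-observed domains as benign) and the training itself happen outside this code. Because every feature is a function of the string alone, the model can be applied on the DNS stream without any lookups, which is what makes real-time classification feasible; the flip side is that a registered name chosen to look pronounceable will score like a benign one, so this kind of classifier is an early signal for analysts rather than a verdict.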

This was a great [series](http://hortonworks.com/blog/big-data-security-part-one-introducing-packetpig/) [of](http://hortonworks.com/blog/big-data-security-part-two-introduction-to-packetpig/) [articles](http://hortonworks.com/blog/packetpig-finding-zero-day-attacks/) from the guys at [Packetloop](https://www.packetloop.com/) on using [PacketPig](https://github.com/packetloop/packetpig) for large scale pcap analysis including offline intrusion detection using Snort over TBs of pcaps and security analytics.
--Jason

A coworker told me about this project today, and I thought I would share since it looks promising.

Packetpig is an open source project hosted on github by @packetloop that contains Hadoop InputFormats, Pig Loaders, Pig scripts and R scripts for processing and analyzing pcap data. It also has classes that allow you to stream packets from Hadoop to local snort and p0f processes so you can parallelize this type of packet processing.

Update (2013-08-01): This project is no longer maintained since we ported all of this functionality over to BinaryPig. Use BinaryPig instead. For more information on BinaryPig, see Slides, Paper, or Video.

This is a quick post. I wrote this little framework for using Hadoop to analyze lots of small files. This may not be the optimal way of doing this, but it worked well and makes repeated analysis tasks easy and scalable.

I recently needed a quick way to analyze millions of small binary files (from 100K-19MB each) and
I wanted a scalable way to repeatedly do this sort of analysis. I chose Hadoop as the platform,
and I built this little framework (really, a single MapReduce job) to do it. This is very much a
work in progress, and feedback and pull requests are welcome.

The main MapReduce job in this framework accepts a Sequence file of `<Text, BytesWritable>` where the `Text` is a name and the `BytesWritable` is the contents of a file. The framework unpacks the bytes of the `BytesWritable` to the local filesystem of the mapper it is running on, allowing the mapper to run arbitrary analysis tools that require local filesystem access. The framework then captures stdout and stderr from the analysis tool/script and stores it (how it stores it is pluggable, see `io.covert.binary.analysis.OutputParser`).

Building:

```shell
mvn package assembly:assembly
```

Running:

```shell
JAR=target/hadoop-binary-analysis-1.0-SNAPSHOT-job.jar

# a local directory with files in it (directories are ignored for now)
LOCAL_FILES=src/main/java/io/covert/binary/analysis/

INPUT="dir-in-hdfs"
OUTPUT="output-dir-in-hdfs"

# convert a bunch of relatively small files into one sequence file (Text, BytesWritable)
hadoop jar $JAR io.covert.binary.analysis.BuildSequenceFile $LOCAL_FILES $INPUT

# Use the config properties in example.xml to basically run the wrapper.sh script on each file using Hadoop
# as the platform for computation
hadoop jar $JAR io.covert.binary.analysis.BinaryAnalysisJob -files wrapper.sh -conf example.xml $INPUT $OUTPUT
```
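To show what the job described above has to do per record, here is an added, self-contained map-only job; it is an illustration written for this page, not the project's `BinaryAnalysisJob` or `OutputParser` source. It assumes a hypothetical configuration property `analysis.command` (standing in for whatever example.xml sets), a class name `UnpackAndRunMapper`, and a one-line-per-file output layout; the `-files wrapper.sh` and `-conf` options work because the driver runs the arguments through Hadoop's `GenericOptionsParser`.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.io.BytesWritable;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.mapreduce.Job;
import org.apache.hadoop.mapreduce.Mapper;
import org.apache.hadoop.mapreduce.lib.input.FileInputFormat;
import org.apache.hadoop.mapreduce.lib.input.SequenceFileInputFormat;
import org.apache.hadoop.mapreduce.lib.output.FileOutputFormat;
import org.apache.hadoop.mapreduce.lib.output.TextOutputFormat;
import org.apache.hadoop.util.GenericOptionsParser;

/**
 * Added example, not the hadoop-binary-analysis source. For each <Text name, BytesWritable contents>
 * record: unpack the value to local disk, run one analysis command on it, and emit the exit code plus
 * captured stdout/stderr as one tab-separated line. "analysis.command" is a hypothetical property.
 */
public class UnpackAndRunMapper extends Mapper<Text, BytesWritable, Text, Text> {

    private String[] command;

    @Override
    protected void setup(Context ctx) {
        // A script shipped with "-files wrapper.sh" is localized into the task's working directory.
        command = ctx.getConfiguration().getStrings("analysis.command", "./wrapper.sh");
    }

    @Override
    protected void map(Text name, BytesWritable contents, Context ctx)
            throws IOException, InterruptedException {
        // Unique local file per record; the sanitized name is only a readable hint in the suffix.
        File sample = File.createTempFile("sample-", "-" + safeName(name.toString()));
        File stderrFile = File.createTempFile("stderr-", ".txt");
        try {
            // getBytes() returns the backing buffer, which can be longer than the data because the
            // writable grows in place; writing it whole would append junk to the sample. Use getLength().
            try (FileOutputStream out = new FileOutputStream(sample)) {
                out.write(contents.getBytes(), 0, contents.getLength());
            }
            String[] argv = new String[command.length + 1];
            System.arraycopy(command, 0, argv, 0, command.length);
            argv[command.length] = sample.getAbsolutePath();
            // stderr goes to a file so reading stdout to EOF cannot deadlock on a full stderr pipe.
            Process p = new ProcessBuilder(argv).redirectError(stderrFile).start();
            p.getOutputStream().close();                     // the tool gets no stdin
            String stdout = slurp(p.getInputStream());
            int rc = p.waitFor();
            String stderr = new String(Files.readAllBytes(stderrFile.toPath()), StandardCharsets.UTF_8);
            // One record per file; a pluggable parser like the post's OutputParser would hook in here.
            ctx.write(name, new Text("rc=" + rc + "\tstdout=" + escape(stdout) + "\tstderr=" + escape(stderr)));
        } finally {
            sample.delete();                                 // do not leave sample contents on the worker
            stderrFile.delete();
        }
    }

    /** Names come from the sequence file, so treat them as untrusted: no separators or odd bytes. */
    static String safeName(String name) {
        String s = name.replaceAll("[^A-Za-z0-9._-]", "_");
        return s.isEmpty() ? "sample" : s;
    }

    /** Keep each output record on one line: escape the separators TextOutputFormat relies on. */
    static String escape(String s) {
        return s.replace("\\", "\\\\").replace("\t", "\\t").replace("\r", "\\r").replace("\n", "\\n");
    }

    private static String slurp(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] b = new byte[8192];
        for (int n; (n = in.read(b)) != -1; ) buf.write(b, 0, n);
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }

    /** Driver: hadoop jar app.jar UnpackAndRunMapper -files wrapper.sh <seqfile-dir> <out-dir> */
    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        String[] rest = new GenericOptionsParser(conf, args).getRemainingArgs();   // handles -files, -conf, -D
        Job job = Job.getInstance(conf, "unpack-and-run");
        job.setJarByClass(UnpackAndRunMapper.class);
        job.setMapperClass(UnpackAndRunMapper.class);
        job.setNumReduceTasks(0);                            // map-only: one output line per input file
        job.setInputFormatClass(SequenceFileInputFormat.class);
        job.setOutputFormatClass(TextOutputFormat.class);
        job.setOutputKeyClass(Text.class);
        job.setOutputValueClass(Text.class);
        FileInputFormat.addInputPath(job, new Path(rest[0]));
        FileOutputFormat.setOutputPath(job, new Path(rest[1]));
        System.exit(job.waitForCompletion(true) ? 0 : 1);
    }
}
```

Two details matter more than they look. `BytesWritable.getBytes()` hands back the reused backing array, so the sample written to disk is only correct when bounded by `getLength()`; and the record name is data read from the sequence file, so it is sanitized before it is allowed anywhere near a path. When the inputs are malware samples the wrapper script is executing a tool against hostile input on every worker, so the usual containment for that tool applies to the Hadoop task just as it would on an analyst's workstation.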